The federal government has opened the consultation process on draft legislation expanding its digital identity scheme to state governments and the private sector, with plans to put current privacy rules into law and establish a permanent oversight agency.
It comes more than two years after a Privacy Impact Assessment recommended that legislation be created around the digital identity project, which was launched five years ago.
The scheme received $250 million in the October budget, doubling the overall funding for the project, which is being led by the Digital Transformation Agency (DTA). The project aims to provide a whole-of-government way to prove identity across a range of government and private sector services.
It has four key elements, including the Trusted Digital Identity Framework, a set of rules governing participation in the scheme, and digital identity providers – currently Australia Post and the ATO’s myGovID.
Currently only public sector agencies can be accredited under the scheme, and the digital identities can only be used to access a limited set of government services. Legislation is required to expand the scheme to state and territory governments and private sector organisations, a longer-term aim of the project.
The DTA has now opened consultations and published a discussion paper outlining broad plans for the bill and posing a number of questions.
The legislation will establish a permanent Oversight Authority to govern the digital identity scheme, make the current privacy rules law and allow for the use of biometrics technology.
An interim Oversight Authority within the DTA is currently fulfilling this role, with the future legislation to make this permanent and set out the authority’s functions, capabilities and powers. The permanent authority could be a new Commonwealth entity, an existing entity or a new Corporations Act company.
The Oversight Authority will be given the power to set and maintain the rules for the digital identity scheme through legislative instruments, such as the accreditation requirements, ongoing obligations and rules.
The discussion paper pointed to the shared responsibility for the Consumer Data Right between the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner as a possible approach to follow.
“This may cost less and mean existing mature processes could be used to speed up implementation and provide a ‘one-stop-shop’ to stakeholders about related issues,” the discussion paper said.
The Oversight Authority will be required to publish an annual report and annual transparency report and maintain a digital identity participant register.
Under the legislation, a number of advisory committees will also be established to provide advice to the authority.
The government also plans to charge some entities looking to participate in the scheme, and the Oversight Authority will be responsible for determining how this will work. Users will not be charged to create a digital identity or to use it to access services.
The legislation will also likely enshrine current privacy and security safeguards under the TDIF into law, and may also require that any company participating in it, even with turnover under $3 million, be subject to the Privacy Act.
The scheme will remain voluntary under law, although the discussion paper said it is not realistic to require all entities offering digital identity to offer an alternative.
“There are many smaller public and private sector services that can provide only one mechanism to verify identity. Requiring these types of relying parties to have an alternative to digital identity for an individual to prove their identity may be unreasonable, given they will need to set up and maintain multiple systems and channels,” the discussion paper said.
“Therefore, requiring certain relying parties such as local councils, small government agencies or the private sector to provide an alternative channel will not be practical.”
The legislation will also include prohibitions on the use of information for commercial reasons. It will allow for the use of biometrics information but will require it to be deleted after it has been used and limit the collection of data.
It will, however, allow participating entities to use a random sample of biometric information from the digital identity scheme to test algorithms.
“In any digital system that uses biometric information, there is a balance between preserving individual privacy and using biometric information to make the system more secure, useful and transparent,” it said.
“The system is designed to offer users the safest, most convenient and transparent system possible. For this to happen, it is proposed that the legislation would allow highly vetted technicians to randomly sample the biometric information on the system for testing purposes.”
“It would also mean that anonymous aggregate information could be used to create more accurate transparency reports, so the public can see how accurate the algorithms are. Without allowing some access by these technicians, any accuracy testing will be approximate since it will rely on lab experiments rather than actual data.”
The DTA will take submissions on the discussion paper until 18 December, with a further round of consultations after a draft version of the legislation is released.